Electronic Health Records (EHRs) and HIPAA

There are new initiatives for electronic health record (EHR) systems which are designed to reduce cost and provide better quality health care. “The United States American Recovery and Reinvestment Act (ARRA) of 2009 provides up to $34 billion for meaningful use of certified EHR systems.” (Smith, 2010, p. 1). These systems are based on the concept of a National Health Information Network (NHIN). Healthcare providers have until 2014 to get their EHR systems certified; a provider that fails to certify by 2014 loses its share of the $34 billion. (Smith, 2010, p. 1). The certification process is conducted by the Certification Commission of Healthcare IT (CCHIT). “National Institute of Standards and Technology (NIST) is developing a set of conformance test methods, including procedures, data, and tools to ensure compliance with the meaningful use of technical requirements and standards.” (Smith, 2010, p. 2).

Among the security concerns is that the privacy of health records will be compromised. All of these EHR systems must also be HIPAA compliant. In Smith’s research, he was able to exploit the system using an insider attack. Once inside the system, he was able to escalate his user level to administrator. He was also able to exploit JavaScript on one machine and use SQL injection to break into another. He found both machines wide open and vulnerable to attack. Another potential issue will be to ensure that all health care systems can share information. A Service-Oriented Architecture (SOA) has been recommended as a solution for this issue. (Gupta & Murtaza, 2009, p. 24).
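The SQL injection finding above is exactly the kind of flaw that a certification checklist can miss and that security testing during development catches. The following is an added example, not code from Smith’s study or from either EHR system it tested: a patient-lookup function written the vulnerable way (string concatenation) next to the parameterised version, both run against a constructed in-memory SQLite table. The table, column and user names are assumptions chosen for illustration.

```python
import sqlite3

# Constructed sample data standing in for an EHR patient table (not real records).
SAMPLE_PATIENTS = [
    (1, "alice", "Alice Example", "E11.9"),
    (2, "bob", "Bob Example", "I10"),
    (3, "carol", "Carol Example", "J45.9"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed patient rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, username TEXT, name TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Insecure: the caller-supplied username is spliced into the SQL text, so any
    quotes or operators it contains are parsed as SQL instead of treated as data."""
    sql = "SELECT name, diagnosis FROM patients WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: a bound parameter is always a literal value and never SQL syntax."""
    sql = "SELECT name, diagnosis FROM patients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the open quote, then ORs in an always-true clause,
# turning the WHERE clause into  username = '' OR '1'='1'
INJECTION_PAYLOAD = "' OR '1'='1"


def demo():
    """Run both lookups with a normal username and with the payload; return the
    number of patient rows each call disclosed."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_payload": len(lookup_vulnerable(conn, INJECTION_PAYLOAD)),
        "safe_normal": len(lookup_safe(conn, "alice")),
        "safe_payload": len(lookup_safe(conn, INJECTION_PAYLOAD)),
    }


if __name__ == "__main__":
    # The vulnerable lookup returns every patient for the payload; the safe one returns none.
    print(demo())
```

The payload disclosing every row is the same class of failure as the one Smith reports: a single unparameterised query turns a per-user lookup into a dump of the whole table. Binding parameters is the fix; input filtering alone is not, because the database driver, not the application, is what keeps data and code apart.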

The United States Congress also allocated $1.1 billion in the American Recovery and Reinvestment Act of 2009 for comparative effectiveness research in healthcare. In addition, it allocated over $500 million annually under the Patient Protection and Affordable Care Act of 2010. (Peddicord, Waldo, Boutin, Grande, & Gutierrez, 2010, p. 2082). Congress also made changes to HIPAA that could impact this very same research. In the HIPAA universe, health information falls into one of two categories: protected health information, which identifies an individual or provides a reasonable basis for identifying an individual; and deidentified data, which do not identify or provide a reasonable basis for identifying an individual. (Peddicord et al., 2010, p. 2083).

The new changes also prohibit the sale of any electronic health information. Researchers are concerned that they may not be able to produce timely research under the new constraints. Certification also carries security criteria that an EHR system must meet before it can be certified.

The health records are regulated by HIPAA rules. Two current proposed EHR systems, one open-source and one proprietary, were tested and both were easily compromised. The researchers recommend that security testing be performed earlier in the development cycle, so that security is built into the system from the beginning. (Smith, 2010, p. 11). Peddicord also notes that new technologies will play a major role in resolving the tension between HIPAA compliance and medical research. “The Federal Drug Administration (FDA) plans to ‘bring the analytics to the data’ rather than the other way around.” (Peddicord et al., 2010, p. 2085). Encryption tools may be used to deidentify data, and authentication procedures may be enhanced to maintain data integrity. (Peddicord et al., 2010, p. 2085).
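The last sentence names two mechanisms: a keyed cryptographic function that turns identifying data into deidentified data, and authentication that lets a recipient detect tampering with the released record. The example below is added here and is not from Peddicord et al. or from any EHR product; it sketches both mechanisms in Python on a constructed record. The field names, the two keys, and the coarsening rules (year only for dates, three-digit ZIP prefix) are assumptions chosen for illustration, not a HIPAA Safe Harbor checklist.

```python
import hashlib
import hmac
import json

# Constructed sample record standing in for one row exported from an EHR (not real data).
SAMPLE_RECORD = {
    "patient_id": "MRN-0001234",
    "name": "Alice Example",
    "dob": "1961-04-17",
    "zip": "02139",
    "diagnosis": "E11.9",
    "visit_date": "2010-09-03",
}

# Assumed keys. In practice the covered entity holds them; they are never released with the data.
PSEUDONYM_KEY = b"assumed-secret-pseudonym-key"
INTEGRITY_KEY = b"assumed-separate-integrity-key"

# Fields that identify the individual outright; these are dropped entirely.
DIRECT_IDENTIFIERS = ("name",)


def pseudonymize(identifier, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256) of an identifier. Deterministic, so visits for the
    same patient still link together; not reversible without the key, unlike a plain
    SHA-256 that an attacker could brute-force from a list of plausible MRNs."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(record):
    """Return a copy with direct identifiers removed and quasi-identifiers coarsened."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_id"] = pseudonymize(record["patient_id"])
    out["dob"] = record["dob"][:4]          # year only
    out["zip"] = record["zip"][:3] + "00"   # three-digit prefix
    return out


def _canonical(record):
    # Stable serialisation so the MAC covers exactly the same bytes on both sides.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key=INTEGRITY_KEY):
    """Attach an HMAC tag so that later modification of the released record is detectable."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key=INTEGRITY_KEY):
    """True only if the record still matches its tag under the key (constant-time compare)."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


if __name__ == "__main__":
    released = seal(deidentify(SAMPLE_RECORD))
    print(json.dumps(released, indent=2))
    print("verifies:", verify(released))
    released["record"]["diagnosis"] = "I10"   # simulate tampering after release
    print("after tampering:", verify(released))
```

Two caveats a practitioner would raise. First, the pseudonym key is as sensitive as the identifiers it protects: anyone holding it can recompute the mapping, so it needs the same access control as the PHI itself. Second, coarsening dates and ZIP codes is only the start of de-identification; the full list of identifiers, the population thresholds for ZIP prefixes, and the handling of rare values are matters for the HIPAA rules and a statistician, not for this sketch.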

The United States has been slow to adopt electronic health record (EHR) systems; the United States healthcare industry spends only 2% of revenue on health information technology. (Gupta & Murtaza, 2009, p. 22). Now there are financial incentives for health organizations that migrate to electronic health record systems, and fines if they do not migrate by 2014. So far, as noted in Smith’s research, many security issues remain in these systems. A further issue is that several vendors may gain EHR certification, so it must be assured that all of their systems can share information.

Finally, there is a potential public health issue associated with HIPAA. Syndromic surveillance, the electronic monitoring and reporting of real-time medical data, may identify a bioterrorism attack at its earliest stage, and early notification could lead to disease containment and widespread prophylactic treatments such as antibiotics or vaccinations. (Nordin, Kasimow, Levitt, & Goodman, 2008, p. 802). The monitoring act could itself be in violation of HIPAA privacy regulations. To further complicate this scenario, public health laws are different from state to state.

These rules and laws can and should be engineered into a system from the ground up. It is virtually impossible to eliminate risk from any enterprise, but there are many opportunities for effective risk management in the healthcare industry. The growth of social media has added some new threats; it has also opened up access to useful health information for people all over the world.

References

Facebook Press Room. (2011, March). Statistics. Retrieved March 1, 2011, from http://www.facebook.com/press/info.php?statistics

Faresi, A., Wijesekera, D., & Moidu, K. (2010). Proceedings of the 1st ACM International Health Informatics Symposium, 637-646. doi:10.1145/1882992.1883093

Guarda, P., & Zannone, N. (2009). Towards the development of privacy-aware systems. Information and Software Technology, 51(2), 337-350. doi:10.1016/j.infsof.2008.04.004

Gupta, V., & Murtaza, M. (2009). Approaches to electronic health record implementation. The Review of Business Information Systems, 13(4), 21-28. Retrieved from ABI/INFORM Global. (Document ID: 1943859181)

Hackworth, B., & Kunz, M. (2010). Health care and social media: Building relationships via social networks. Academy of Health Care Management Journal, 6(1), 55-68. Retrieved from ABI/INFORM Global. (Document ID: 2232283551)

Nordin, J., Kasimow, S., Levitt, M., & Goodman, M. (2008). Bioterrorism surveillance and privacy: Intersection of HIPAA, the Common Rule, and public health law. American Journal of Public Health, 98(5), 802-807. Retrieved from ABI/INFORM Global. (Document ID: 1470840051)

Peddicord, D., Waldo, A., Boutin, M., Grande, T., & Gutierrez, L. (2010). A proposal to protect privacy of health information while accelerating comparative effectiveness. Health Affairs, 29(11), 2082-2090. Retrieved from ABI/INFORM Global. (Document ID: 2190587141)

Smith, B. (2010). Challenges for protecting the privacy of health information: Required certification can leave common vulnerabilities undetected. Proceedings of the Second Annual Workshop on Security and Privacy in Medical and Home-Care Systems (SPIMACS '10). doi:10.1145/1866914.1866916
